- Best choice: Upgrade to 6.0.18 (http://tomcat.apache.org).
- Hot fix: Disable allowLinking (allowLinking="false", which is also the default when the attribute is omitted) or do not set URIEncoding to UTF-8 on the connector. Either change alone removes the precondition for this vulnerability.
- Tomcat 5.5.x and 4.1.x users: The fix will be included in the next releases. Please apply the hot fix until the next release is available.

According to the Apache Tomcat security team, the root cause lies on the Java side, in how the encoded request URI is decoded, rather than in any particular web application. If your context.xml or server.xml sets allowLinking="true" on a Context and URIEncoding="UTF-8" on the Connector, an attacker can read sensitive system files outside the web root (e.g. /etc/passwd).
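The following is an added example, not code from the advisory or from the Tomcat project: constructed server.xml and context.xml fragments showing the weak settings beside their hardened variants, plus a small check that parses both files and reports whether the two conditions the advisory names are present at once. The attribute names URIEncoding (on Connector) and allowLinking (on Context) are the real Tomcat attributes; the port, host and function names (utf8_connector_ports, linking_context_paths, is_exposed) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration fragments (not taken from the advisory).
# URIEncoding and allowLinking are the real Tomcat attribute names; the port,
# host and file contents are illustrative.
VULNERABLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- weak setting: URIEncoding="UTF-8" on the HTTP connector -->
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true"/>
    </Engine>
  </Service>
</Server>
"""

# Hardened variant of the same server.xml: the connector keeps Tomcat's
# default URI encoding (ISO-8859-1) instead of UTF-8.
HARDENED_SERVER_XML = VULNERABLE_SERVER_XML.replace(' URIEncoding="UTF-8"', "")

# Global context.xml carrying the weak setting allowLinking="true" ...
VULNERABLE_CONTEXT_XML = """\
<Context allowLinking="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

# ... and the hardened variant (allowLinking="false" is also what Tomcat
# uses when the attribute is omitted entirely).
HARDENED_CONTEXT_XML = VULNERABLE_CONTEXT_XML.replace(
    'allowLinking="true"', 'allowLinking="false"'
)


def utf8_connector_ports(server_xml):
    """Return the port of every Connector whose URIEncoding is UTF-8."""
    root = ET.fromstring(server_xml)
    return [
        c.get("port")
        for c in root.iter("Connector")
        if (c.get("URIEncoding") or "").strip().lower() == "utf-8"
    ]


def linking_context_paths(*xml_docs):
    """Return a label for every Context that sets allowLinking="true".

    A Context may be the root element of context.xml or sit under a Host in
    server.xml, so every document passed in is scanned; Element.iter() is
    used because it yields the root element itself as well as descendants.
    """
    hits = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for ctx in root.iter("Context"):
            if (ctx.get("allowLinking") or "").strip().lower() == "true":
                hits.append(ctx.get("path") or "(default context)")
    return hits


def is_exposed(server_xml, *context_docs):
    """True only when both weak settings are present at the same time.

    The traversal needs a UTF-8 connector AND a context with allowLinking;
    either setting on its own is not flagged, matching the advisory's hot fix.
    """
    ports = utf8_connector_ports(server_xml)
    contexts = linking_context_paths(server_xml, *context_docs)
    return bool(ports) and bool(contexts)


if __name__ == "__main__":
    for label, srv, ctx in [
        ("vulnerable", VULNERABLE_SERVER_XML, VULNERABLE_CONTEXT_XML),
        ("hardened context", VULNERABLE_SERVER_XML, HARDENED_CONTEXT_XML),
        ("hardened connector", HARDENED_SERVER_XML, VULNERABLE_CONTEXT_XML),
    ]:
        print(f"{label}: exposed={is_exposed(srv, ctx)}")
```

Run it against your own $CATALINA_HOME/conf/server.xml and conf/context.xml (and any per-application META-INF/context.xml) by reading those files into the two arguments of is_exposed. Keep in mind that both hot fixes have a cost: dropping URIEncoding="UTF-8" changes how non-ASCII path segments are decoded, and allowLinking="false" stops Tomcat from serving content reached through symbolic links, which is why the advisory lists the upgrade to 6.0.18 as the best choice.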

Exploit

If your web root is three directories deep (e.g. /usr/local/wwwroot), an attacker can access arbitrary files as shown below. (Proof-of-concept)